Been getting a few emails from Let's Encrypt nagging me about certificate renewal.
Decided to do a manual update instead of waiting for cron.
End result was
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.domain.co.uk/fullchain.pem (success)
DietPi-LetsEncrypt | RPi 2 Model B (armv7l) | IP:
however just prior to that
DietPi-LetsEncrypt
[FAILED] Setting could not be added after desired line
The pattern $4 "mod_.+", could not be found in file $3 /etc/lighttpd/lighttpd.conf
Please retry with valid parameter $4 or apply the setting manually:
"mod_setenv",
I just checked and this is the line in my lighty conf
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: www.domain.co.uk
Domains: www.domain.co.uk
Expiry Date: 2019-06-01 20:16:51+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.domain.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.domain.co.uk/privkey.pem
And the site is up fine. If you get 90 days would there be any point in a cron.monthly anyway or is LetsEncrypt sensible enough not to bother if cert is already valid?
OK so I just re-ran #dietpi-letsencrypt 1 and the second run outputted
Processing /etc/letsencrypt/renewal/www.domain.co.uk.conf
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/www.domain.co.uk/fullchain.pem (skipped)
No renewals were attempted.
Ignoring unknown module: dietpi-hsts
So that’s answered the renewal question
I've pasted the following into /etc/cron.monthly/dietpit-letsencrypt
Action may be required to prevent your Let’s Encrypt certificate renewals from
breaking.
If you already received a similar e-mail, this one contains updated information.
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a
certificate in the past 12 days. Below is a list of names and IP addresses
validated (max of one per account):
TLS-SNI-01 validation is reaching end-of-life. It will stop working
permanently on March 13th, 2019. Any certificates issued before then will
continue to work for 90 days after their issuance date.
You need to update your ACME client to use an alternative validation method
(HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals
will break and existing certificates will start to expire.
Our staging environment already has TLS-SNI-01 disabled, so if you’d like to
test whether your system will work after March 13, you can run against
staging: https://letsencrypt.org/docs/staging-environment/
Our forum has many threads on this topic. Please search to see if your question
has been answered, then open a new thread if it has not: https://community.letsencrypt.org/
The pattern $4 "mod_.+", could not be found in file $3 /etc/lighttpd/lighttpd.conf
…
server.modules = ( "mod_access","mod_alias", "mod_rewrite", "mod_redirect", "mod_setenv" )
This is indeed a one-liner in your lighttpd.conf? Hmm, this is neither Debian default nor DietPi default, where every module has its own line so the command above does not fail.
However you can safely ignore it since “mod_setenv” is already inside.
You are on Raspbian Stretch, right? There is a systemd unit installed with certbot that does the renewal attempt two times a day, check: systemctl status certbot
In case of Jessie (should not be the case with RPi), we place a weekly cron job: cat /etc/cron.weekly/dietpi-letsencrypt
So please remove your monthly cron job in every case, it is obsolete and not really made for non-interactive execution. As of the already present systemd or cron job, certbot renew instead is the way to go.
About the TLS-SNI-01 error:
Please run G_AGI certbot to update the package which should install certbot v0.28 which resolves the issue.
Then run certbot renew to check if everything is going right as expected.
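
An added example, not part of the original reply and not DietPi's own code: one way to confirm that a module really is enabled in server.modules, whether the list is a one-liner as in the config quoted above or has one module per line. The function name has_lighttpd_module and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not DietPi code): check server.modules for a module,
# whether the list is written on one line or one module per line.

# has_lighttpd_module CONF MODULE: exit status 0 if MODULE is enabled.
has_lighttpd_module() {
    # Drop whole-line comments so a commented-out module does not count,
    # then join everything from "server.modules" to the closing ")".
    grep -v '^[[:space:]]*#' "$1" |
    awk '
        /^[ \t]*server\.modules[ \t]*[+]?=/ { inlist = 1 }
        inlist                              { printf "%s ", $0 }
        inlist && /\)/                      { inlist = 0 }
    ' |
    grep -q "\"$2\""
}

# Constructed sample configs, one per layout discussed in the thread.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/oneline.conf" <<'EOF'
server.modules = ( "mod_access","mod_alias", "mod_rewrite", "mod_redirect", "mod_setenv" )
server.document-root = "/var/www"
EOF
cat > "$demo_dir/multiline.conf" <<'EOF'
server.modules = (
    "mod_access",
    "mod_alias",
#   "mod_setenv",
    "mod_redirect",
)
EOF

for f in oneline multiline; do
    if has_lighttpd_module "$demo_dir/$f.conf" mod_setenv; then
        echo "$f: mod_setenv enabled"
    else
        echo "$f: mod_setenv missing"
    fi
done
```

A plain grep for the module name would report the commented-out entry in the multi-line sample as present; filtering comment lines first avoids that false positive.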